MS10-015 Issues Confirmed to be Caused by Alureon Rootkit
When Microsoft released their February Security Bulletins, there were reports that one of them, MS10-015, was leading to blue screens on reboot for some Windows XP systems. Advice was quickly pushed out by a number of sources that allowed users to roll back the bulletin and restore some functionality to their systems, and Microsoft began taking a closer look at the issue.
It has now been confirmed that the issue was the result of a malware infection, as many had suspected. The malware family identified is the Alureon rootkit. The blue screen that results after applying MS10-015 is due to the changes the rootkit has made to the Windows kernel, which leave the kernel unstable and eventually broken once MS10-015 makes its own changes there. The referenced MSRC blog post specifically identifies that the Alureon rootkit relies on a hardcoded memory address to reach Windows kernel code. When MS10-015 changed the location of that code, Alureon was left without the function it was trying to call, resulting in system instability and the blue screen crashes.
Further remediation advice has been provided by Microsoft's Malware Protection Center, which points out that recovering from the rolling reboot / blue screen issue caused by Alureon can be as simple as overwriting the corrupted / infected system driver with a known clean copy. The system driver most commonly affected by this rootkit is atapi.sys.
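An added example (not code from the article, from Microsoft or from the MMPC advice) of the check behind that remediation: compare the installed driver against a known-clean reference copy before deciding to overwrite it. The offline volume path, the reference directory and the driver list are assumptions.

```powershell
# Added example, not code from the article or from Microsoft. Compares installed
# drivers with known-clean reference copies (e.g. extracted from the service pack
# or install media for the same patch level; a mismatch can also mean a different
# driver version, so keep the reference at the right level). Run it from clean boot
# or recovery media against the OFFLINE system volume: an active kernel rootkit can
# hide its changes from user-mode reads on the infected, running system.
param(
    # Offline system volume and reference directory are assumptions; adjust as needed.
    [string]$SystemRoot   = 'D:\WINDOWS',
    [string]$ReferenceDir = 'E:\clean-drivers',
    [string[]]$Drivers    = @('atapi.sys')   # atapi.sys is the driver the article names
)

function Compare-DriverToReference {
    param([string]$DriverName, [string]$SystemRoot, [string]$ReferenceDir)

    $installed = Join-Path $SystemRoot "System32\drivers\$DriverName"
    $reference = Join-Path $ReferenceDir $DriverName

    # Report missing files explicitly rather than treating them as clean.
    foreach ($p in @($installed, $reference)) {
        if (-not (Test-Path -LiteralPath $p)) {
            return [pscustomobject]@{ Driver = $DriverName; Status = "Missing: $p"; Verdict = 'Unknown' }
        }
    }

    $actual   = (Get-FileHash -LiteralPath $installed -Algorithm SHA256).Hash
    $expected = (Get-FileHash -LiteralPath $reference -Algorithm SHA256).Hash
    $sizeNote = '{0} vs {1} bytes' -f (Get-Item -LiteralPath $installed).Length,
                                      (Get-Item -LiteralPath $reference).Length

    # An in-place patch of the driver changes its hash; the file size may or may not change.
    [pscustomobject]@{
        Driver  = $DriverName
        Status  = if ($actual -eq $expected) { 'Hash matches reference' } else { "Hash differs ($sizeNote)" }
        Verdict = if ($actual -eq $expected) { 'Clean' } else { 'Replace with clean copy' }
    }
}

$Drivers |
    ForEach-Object { Compare-DriverToReference -DriverName $_ -SystemRoot $SystemRoot -ReferenceDir $ReferenceDir } |
    Format-Table -AutoSize
```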
The malware authors have also responded to the issue and have updated their rootkit so that it no longer relies on hardcoded memory locations, meaning new installations of the rootkit will no longer blue screen Windows XP systems.
23 February 2010